Thread: Function security?

Function security?

From
stevew
Date:
I wish to control access to some tables, so I do not want to grant
select to all users. Instead I would like to use some functions which
return the info.

So I have some tables owned by admin
I have a user who does not have select permission on the tables owned by
admin.
admin has created some functions which perform some selects on admin's
tables.
When user runs these functions, user gets permission denied.

Is there a way to let the user be admin when running the functions ????

You can do this with Oracle.

Any help appreciated

Regards,

Steve


Re: [SQL] Function security?

From
wieck@debis.com (Jan Wieck)
Date:
>
> I wish to control access to some tables, so I do not want to grant
> select to all users. Instead I would like to use some functions which
> return the info.
>
> So I have some tables owned by admin
> I have a user who does not have select permission on the tables owned by
> admin.
> admin has created some functions which perform some selects on admin's
> tables.
> When user runs these functions, user gets permission denied.
>
> Is there a way to let the user be admin when running the functions ????
>
> You can do this with Oracle.

    PostgreSQL  doesn't support this kind of SETUID for functions
    or trigger procedures up to now (there are plans to do so but
    it didn't make it for v6.5).

    You  could  use  a  view instead, which presents the data you
    want to make accessible, and grant the  required  permissions
    on  the view.  The view should not contain any function calls
    that internally do  their  own  queries  (usually  over  SPI)
    because  these  function  internal queries are again executed
    under the current users permissions and would probably  fail.


Jan

--

#======================================================================#
# It's easier to get forgiveness for being wrong than for being right. #
# Let's break this rule - forgive me.                                  #
#========================================= wieck@debis.com (Jan Wieck) #